website/blog/systemd_insecurity.html
inference d5f96630cc
Revert "Switch from local relative paths to absolute"
This reverts commit 275a159e1336c62e2030ca6e9f092a5f9035d69e.

Webroot conflicts with local root filesystem and causes broken paths
when opening repository files locally. Revert change from relative to
absolute paths until a solution is found.
2023-11-20 04:29:14 +00:00


<!DOCTYPE html>
<!-- Inferencium - Website - Blog - #1 -->
<!-- Version: 5.1.0-alpha.2 -->
<!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<html lang="en">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="../main.css"/>
<title>Inferencium - Blog - systemd Insecurity</title>
</head>
<body>
<nav class="navbar">
<div><a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"/></a></div>
<div><a href="../index.html" class="title">Inferencium</a></div>
<div><a href="../about.html">About</a></div>
<div><a href="../contact.html">Contact</a></div>
<div><a href="../blog.html">Blog</a></div>
<div><a href="../documentation.html">Documentation</a></div>
<div><a href="../source.html">Source</a></div>
<div><a href="../key.html">Key</a></div>
<div><a href="../changelog.html">Changelog</a></div>
<div><a href="../directory.html">Directory</a></div>
</nav>
<h1>Blog - #1</h1>
<h2>systemd Insecurity</h2>
<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>
<nav id="toc">
<h2 id="toc"><a href="#toc">Table of Contents</a></h2>
<ul>
<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li>
<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li>
<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li>
<li><a href="#issue-3">Issue #3 - Blaming the User</a></li>
</ul>
</nav>
<p>Anyone who cares about security may want to switch from systemd as soon as possible;
its lead developer doesn't care about your security at all.</p>
<section id="issue-0">
<h2 id="issue-0"><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>
<blockquote>"You don't assign CVEs to every single random bugfix we do, do
you?"</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p><b>My thoughts:</b> Yes, if they're security-related.</p>
<p>Source:
<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p>
</section>
<section id="issue-1">
<h2 id="issue-1"><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>
<blockquote>"Humpf, I am not convinced this is the right way to announce this.
We never did that, and half the CVEs aren't useful anyway, hence I am not sure
we should start with that now, because it is either inherently incomplete or
blesses the nonsensical part of the CVE circus which we really shouldn't
bless..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they
were found and their severity, so yes, it <em>is</em> the correct way to
announce it. It seems as if over 95 security-conscious people think the same.</p>
<p>Source:
<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>
</section>
<section id="issue-2">
<h2 id="issue-2"><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>
<blockquote>"I am not sure I buy enough into the security circus to do that
though for any minor issue..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>Source:
<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>
</section>
<section id="issue-3">
<h2 id="issue-3"><a href="#issue-3">Issue #3 - Blaming the User</a></h2>
<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder
which tool permitted you to create it in the first place. Note that not
permitting numeric first characters is done on purpose: to avoid ambiguities
between numeric UID and textual user names.<br>
<br>
systemd will validate all configuration data you drop at it, making it hard to
generate invalid configuration. Hence, yes, it's a feature that we don't permit
invalid user names, and I'd consider it a limitation of xinetd that it doesn't
refuse an invalid username.<br>
<br>
So, yeah, I don't think there's anything to fix in systemd here. I understand
this is annoying, but still: the username is clearly not valid."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a
username started with a number, then Poettering blamed the user.</p>
<p>Source:
<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>
</section>
</body>
</html>